What the EU's sweeping new data protection and privacy law means for you
You may have noticed your email inbox overflowing this month with emails from companies and apps—from Quora to Ticketmaster to Apple to Spotify—appealing to let them keep in touch with you and outlining changes to their privacy policies.
That’s because on May 25th, the General Data Protection Regulation, Europe’s landmark new set of data rules, will go into effect.
The 99 articles contained in the 88 pages of the GDPR represent the most extensive overhaul of data protection rules in Europe in a generation—and they affect companies and consumers in Europe and beyond, including Canadians.
Ann Cavoukian, who served three terms as Ontario’s privacy commissioner, said in an interview with CTVNews.ca that the GDPR is “a game changer,” particularly at a time when “concern for privacy is at an all-time high.”
What is the GDPR?
The GDPR was designed to tighten and harmonize data privacy laws across Europe and to give individual consumers enhanced data protection rights and more control over how their data is used.
Supporters of the legislation say that recent revelations about how the now-defunct political consulting firm Cambridge Analytica may have acquired the data of 87 million Facebook users in a possibly nefarious fashion highlight the need for it.
Though the European Parliament and the Council of the European Union adopted the legislation in April 2016, they gave countries and companies a two-year grace period to prepare for and implement the sweeping changes.
The legislation makes “privacy by design,” a framework designed by Cavoukian, mandatory, and requires any requests for consent to process personal data to be easy to find and written in plain language.
“Privacy is the default,” said Cavoukian. “Instead of you having to scour to find the opt-out box, it’s the exact opposite.”
Firms can collect only the data necessary for the purpose they have stated (the GDPR calls this data minimization), and if they wish to use that data for a different, incompatible purpose, they must generally go back to users for fresh consent.
Organizations whose core activities involve large-scale monitoring of individuals or large-scale handling of sensitive data, along with public authorities, will have to appoint a data protection officer. Any organization that suffers a personal data breach must notify its data protection regulator within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected, and must also tell those people without undue delay when the breach is likely to put them at high risk. That is a dramatic change from the way companies like Equifax and Uber have responded to such breaches in the past.
Consumers covered under the law can demand to view—for free—all of the data a company has about them and how it’s being used.
They can also request to have their data deleted or corrected, and will be able to download their data and take it elsewhere, such as from one music streaming service to another.
The GDPR covers both ordinary personal data, like your name and phone number, and special categories of personal data that get extra protection, like your religion, health information or criminal record.
What happens if companies don’t comply?
Penalties for non-compliance include limits and outright bans on data processing and compulsory audits of data handling.
Regulators will also look to hit the pocket books: for the most serious violations, companies can be fined up to 4 per cent of their global annual turnover or €20 million, whichever is larger, with a lower tier of 2 per cent or €10 million for lesser breaches such as failing to report a security incident.
Why does this European law affect Canada?
The GDPR applies to everyone from big multinationals to small, family-owned businesses, and from nonprofits to entrepreneurs, irrespective of where they are located, as long as they offer goods or services to people in the EU or monitor the behaviour of people there.
Though companies only have to comply with the new rules with respect to their European customers, some—like Microsoft—say it will be unfeasible to have more than one set of rules around the world and are choosing instead to implement one standard universally.
Beth Dewitt, the Canadian leader for data protection and privacy at Deloitte, said in an interview with CTVNews.ca that eventually, the GDPR could become “a global standard” for data privacy and protection legislation. Governments in Argentina and Japan are already beginning to align their national data protection policies with the law.
Many large Canadian companies are “well down the path towards compliance with the GDPR or are compliant,” Dewitt said, but some smaller ones “are just waking up to it right now.”
How does the GDPR compare to Canadian data privacy laws?
The European law is much stronger than its Canadian equivalent, the Personal Information Protection and Electronic Documents Act.
Canadian companies that must comply with the GDPR are finding there is “an uplift” in their privacy requirements when it comes to individual consumer rights such as the right to be forgotten or the right to take their data elsewhere, said Dewitt.
Canada’s new federal data breach regulations, for instance, which take effect in November, require companies to report security breaches that pose a “real risk of significant harm” to the federal privacy commissioner and to affected consumers “as soon as feasible”—a less strict standard than the 72-hour timeline outlined in the GDPR.
“With the GDPR, our laws are now lacking,” Cavoukian said, adding that the inferiority of Canada’s legislation makes her optimistic that there will be “a real push to upgrade our laws here.”
“It would be almost like a step back for us not to raise the bar as well,” she said.
With files from the Canadian Press